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Abstract 
This document updates the security considerations for the MD5 message 
digest algorithm. It also updates the security considerations for 
HMAC-MD5. 
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Les 


Introduction 


MD5 [MD5] is a message digest algorithm that takes as input a message 
of arbitrary length and produces as output a 128-bit "fingerprint" or 
"message digest" of the input. The published attacks against MD5 
show that it is not prudent to use MD5 when collision resistance is 
required. This document replaces the security considerations in RFC 
1321 [MD5]. 


[HMAC] defined a mechanism for message authentication using 
cryptographic hash functions. Any message digest algorithm can be 
used, but the cryptographic strength of HMAC depends on the 
properties of the underlying hash function. [HMAC-MD5] defined test 
cases for HMAC-MD5. This document updates the security 
considerations in [HMAC], which [HMAC-MD5] points to for its security 
considerations. 


[HASH-Attack] summarizes the use of hashes in many protocols and 
discusses how attacks against a message digest algorithm’s one-way 
and collision-free properties affect and do not affect Internet 
protocols. Familiarity with [HASH-Attack] is assumed. One of the 
uses of message digest algorithms in [HASH-Attack] was integrity 
protection. Where the MD5 checksum is used inline with the protocol 
solely to protect against errors, an MD5 checksum is still an 
acceptable use. Applications and protocols need to clearly state in 
their security considerations what security services, if any, are 
expected from the MD5 checksum. In fact, any application and 
protocol that employs MD5 for any purpose needs to clearly state the 
expected security services from their use of MD5. 


Security Considerations 


MD5 was published in 1992 as an Informational RFC. Since that time, 
MD5 has been extensively studied and new cryptographic attacks have 
been discovered. Message digest algorithms are designed to provide 
collision, pre-image, and second pre-image resistance. In addition, 
message digest algorithms are used with a shared secret value for 
message authentication in HMAC, and in this context, some people may 
find the guidance for key lengths and algorithm strengths in 
[SP800-57] and [SP800-131] useful. 


MD5 is no longer acceptable where collision resistance is required 
such as digital signatures. It is not urgent to stop using MD5 in 
other ways, such as HMAC-MD5; however, since MD5 must not be used for 
digital signatures, new protocol designs should not employ HMAC-MD5. 
Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and 
[AES-CMAC] when AES is more readily available than a hash function. 
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2.1. Collision Resistance 


Pseudo-collisions for the compress function of MD5 were first 
described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a 
collision pair for the MD5 compression function with a chosen initial 
value. The first paper that demonstrated two collision pairs for MD5 
was published in 2004 [WFLY2004]. The detailed attack techniques for 
MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since then, a lot 
of research results have been published to improve collision attacks 
on MD5. The attacks presented in [KLIM2006] can find MD5 collision in 
about one minute on a standard notebook PC (Intel Pentium, 1.6GHz). 
[STEV2007] claims that it takes 10 seconds or less on a 2.6Ghz 
Pentium4 to find collisions. In [STEV2007], [SLdew2007], 
[SSALMOdeW2009], and [SLdeW2009], the collision attacks on MD5 were 
successfully applied to X.509 certificates. 


Notice that the collision attack on MD5 can also be applied to 
password-based challenge-and-response authentication protocols such 
as the APOP (Authenticated Post Office Protocol) option in POP [POP] 
used in post office authentication as presented in [LEUR2007]. 


In fact, more delicate attacks on MD5 to improve the speed of finding 
collisions have been published recently. However, the aforementioned 
results have provided sufficient reason to eliminate MD5 usage in 
applications where collision resistance is required such as digital 
signatures. 


2.2. Pre-Image and Second Pre-Image Resistance 


Even though the best result can find a pre-image attack of MD5 faster 
than exhaustive search, as presented in [SAAO2009], the complexity 
2°123.4 is still pretty high. 


2.3. HMAC 


The cryptanalysis of HMAC-MD5 is usually conducted together with NMAC 
(Nested MAC) since they are closely related. NMAC uses two 
independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2, 
M), where K1 and K2 are used as secret initialization vectors (IVs) 
for hash function H(IV, M). If we re-write the HMAC equation using 
two secret IVs such that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), 
then HMAC (K, M) = NMAC(IV1, IV2, M). Here it is very important to 
notice that IV1 and IV2 are not independently selected. 


The first analysis was explored on NMAC-MD5 using related keys in 
[COYI2006]. The partial key recovery attack cannot be extended to 
HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly 
lead to recovering (partial) key K. Another paper presented at 
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Crypto 2007 [FLN2007] extended results of [COYI2006] to a full key 
recovery attack on NMAC-MD5. Since it also uses related key attack, 
it does not seem applicable to HMAC-MD5. 


A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5 
[WYW2Z22009] without using related keys. It can distinguish an 
instantiation of HMAC with MD5 from an instantiation with a random 
function with 2^97 queries with probability 0.87. This is called 
distinguishing-H. Using the distinguishing attack, it can recover 
some bits of the intermediate status of the second block. However, 
as it is pointed out in [WYWZZ2009], it cannot be used to recover the 
(partial) inner key H(K Xor ipad). It is not obvious how the attack 
can be used to form a forgery attack either. 


The attacks on HMAC-MD5 do not seem to indicate a practical 
vulnerability when used as a message authentication code. 
Considering that the distinguishing-H attack is different from a 
distinguishing-R attack, which distinguishes an HMAC from a random 
function, the practical impact on HMAC usage as a pseudorandom 
function (PRF) such as in a key derivation function is not well 
understood. 


Therefore, it may not be urgent to remove HMAC-MD5 from the existing 
protocols. However, since MD5 must not be used for digital 
signatures, for a new protocol design, a ciphersuite with HMAC-MD5 
should not be included. Options include HMAC-SHA256 [HMAC] 
[HMAC-SHA256] and [AES-CMAC] when AES is more readily available than 
a hash function. 
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